Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Silver

disabling ssh aes256-hmac-md5 and 3des-hmac-md5 on Pix 8.x

I am currently logging into the Pix 8.0(2) using

ssh version 2. This is my test box:

aaa authentication ssh console ABC LOCAL

aaa accounting ssh console ABC

ssh 0.0.0.0 0.0.0.0 outside

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 60

ssh version 2

I want to only allow people to ssh into this

pix with AES256-HMAC-SHA1. Furthermore, I want

to disable anyone from ssh into this pix using

either AES256-HMAC-MD5 or 3DES-HMAC-MD5. How

do I go about accomplishing this?

Here is an example:

[root@Linux root]# ssh -v -c 3des -l test1 192.168.1.202

debug1: Remote protocol version 2.0, remote software version Cisco-1.25

debug1: no match: Cisco-1.25

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug1: kex: server->client 3des-cbc hmac-md5 none

debug1: kex: client->server 3des-cbc hmac-md5 none

debug1: sending SSH2_MSG_KEXDH_INIT

debug1: Next authentication method: password

test1@192.168.1.202's password:

[root@Linux root]# ssh -v -c aes256-cbc -l test1 192.168.1.202

OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: Applying options for *

debug1: Remote protocol version 2.0, remote software version Cisco-1.25

debug1: no match: Cisco-1.25

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug1: kex: server->client aes256-cbc hmac-md5 none

debug1: kex: client->server aes256-cbc hmac-md5 none

debug1: sending SSH2_MSG_KEXDH_INIT

debug1: Authentications that can continue: password

debug1: Next authentication method: password

test1@192.168.1.202's password:

[root@Linux root]# ssh -v -c aes256-cbc -m hmac-sha1 -l test1 192.168.1.202

OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: Remote protocol version 2.0, remote software version Cisco-1.25

debug1: no match: Cisco-1.25

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug1: kex: server->client aes256-cbc hmac-sha1 none

debug1: kex: client->server aes256-cbc hmac-sha1 none

debug1: Authentications that can continue: password

debug1: Next authentication method: password

test1@192.168.1.202's password:

1 REPLY
Silver
623
Views
0
Helpful
1
Replies
CreatePlease to create content